Kiwicon 2016 Wrap Up

This November, the Springtimesoft team headed to Kiwicon in Wellington, taking on the earthquake, heavy rain, flooding and road closures to soak up some information with more than 2000 other attendees.

With some time to digest, here are our favourite takeaways from the week…

The highlights:

Out of the Browser into the Fire: Exploiting Native Web-based Applications

This was one of our favourite talks from Kiwicon, as it is particularly relevant to the work we're doing at Springtimesoft. It explored the risks of native clients versus traditional web applications by showing how easy it is to exploit JavaScript running inside desktop apps built with web technologies, and to create worms or malicious links where the user doesn't even realise that something malicious has just happened in the background.
View the presentation info.

Luring developers with candy and other evil tricks

Eleanor Saitta's (@dymaxion) talk on the way Etsy approaches security was enlightening. It covered lowering or removing the barriers between developer and security teams so that they work together more closely, and the importance of making it okay to ask questions and not feel shy about raising potential security hazards. Eleanor also emphasised the need to really understand your products at a human level and to make decisions based on humans! In security terms, this means understanding who your attackers are and what motivates them.

Defending the Gibson in the Age of Enlightenment

A keynote from Darren Bilby of Google, discussing some of the security strategies Google has implemented over the past decade and forecasting the technologies that will protect infrastructure in the future.

Radiation-induced cryptographic failures and how to defend against them

Peter Gutmann returned for his 10th year at Kiwicon with as crazy a talk as usual. It explored the effects of radiation on computer security mechanisms (and on computers in general) and how to protect against them. Not to mention having radioactive material on stage during the talk to keep things interesting!

Our top takeaways

Davi Ottenheimer’s talk on the flaws of machine learning and AI

Zane - “I took a lot away from Davi’s machine learning talk, in particular putting a lot of extra thought into the training data that is used for such projects to avoid bias as much as possible.”

NodeJS: Remote Code Execution as a Service talk

A reminder to be cautious about where NodeJS is used in our stack: the lack of package signatures and of version pinning leaves the way open for malicious library updates.
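As an added illustration of the version-pinning point (example code written for this wrap-up, not from the talk or from Springtimesoft), the small checker below reads a package.json and flags every dependency whose specifier is a range, wildcard or tag rather than an exact version, since those are the entries that `npm install` will silently move forward when a new upstream release appears. The manifest it scans is a constructed sample.

```javascript
// Added example: find npm dependencies that are not pinned to an exact version.
// Specifier syntax follows the semver ranges npm accepts (^, ~, *, x, >=, ||, ' - ').

// An exact version: MAJOR.MINOR.PATCH with optional pre-release / build suffix.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Explain why a specifier is not pinned, or return null when it is exact.
function classify(spec) {
  const s = String(spec).trim();
  if (EXACT.test(s)) return null;
  if (s === '' || s === '*' || s === 'latest' || /^[xX*]/.test(s)) {
    return 'wildcard: any published version will be installed';
  }
  if (/^[\^~]/.test(s)) {
    return 'caret/tilde range: minor or patch releases float';
  }
  if (/[<>=|]|\s-\s|\.[xX*]/.test(s)) {
    return 'version range: newer releases inside the range float';
  }
  return 'non-registry or tag specifier (git URL, path, dist-tag): verify manually';
}

// Return one finding per unpinned entry across the dependency fields.
function findUnpinned(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const reason = classify(spec);
      if (reason) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample manifest: only lodash is pinned exactly.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: { express: '^4.14.0', lodash: '4.17.2', request: '*' },
  devDependencies: { mocha: '~3.1.0', eslint: '>=3.0.0 <4.0.0', leftpad: 'latest' },
});

// Human-readable report, e.g. for a CI step that fails when findings exist.
function report(pkgJsonText) {
  const findings = findUnpinned(JSON.parse(pkgJsonText));
  return findings.map((f) => `${f.field}.${f.name} = "${f.spec}": ${f.reason}`);
}

console.log(report(SAMPLE_PACKAGE_JSON).join('\n'));
```

Pinning with `npm config set save-exact true` (or a `save-exact=true` line in .npmrc) makes new installs record exact versions, and a lockfile (`npm shrinkwrap` at the time of the talk; package-lock.json in later npm releases) records the resolved versions of the whole tree so that a rebuild does not pull in a release that was not reviewed.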

_blank slate

This practical takeaway came from Jen's talk "_blank slate", a short but interesting talk on the exploit of target="_blank" via JS. The mitigations discussed there are worth considering when developing applications that allow users to submit links which are later opened in a new window.
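The standard mitigations, as an added example written for this wrap-up (not code from the talk or from Springtimesoft): a page opened via target="_blank" receives a window.opener reference and can navigate the opening tab, so the rendering side should add rel="noopener noreferrer" to every new-window link, and the page that gets opened can defensively drop window.opener itself. The functions below work on plain attribute objects and a small constructed HTML fragment so they run outside a browser; the attribute regex is a demo-sized stand-in for a real HTML sanitiser.

```javascript
// Added example: hardening user-submitted links that open in a new window.

// rel tokens every target="_blank" link should carry.
const REQUIRED_REL = ['noopener', 'noreferrer'];

// Return a hardened copy of one anchor's attributes ({href, target, rel, ...}).
// Plain objects stand in for DOM nodes so this runs under Node; in a page you
// would read and set the same attributes on the <a> element.
function hardenLink(attrs) {
  const out = { ...attrs };
  if (out.target !== '_blank') return out;      // only new-window links need it
  const tokens = new Set((out.rel || '').split(/\s+/).filter(Boolean));
  REQUIRED_REL.forEach((t) => tokens.add(t));   // keep existing tokens, e.g. nofollow
  out.rel = Array.from(tokens).join(' ');
  return out;
}

// Rewrite every <a ...> start tag in an HTML fragment of user-submitted links.
// The attribute scan is a deliberately small, double-quote-only regex for the
// demo; real input should go through a proper HTML sanitiser instead.
function hardenHtml(html) {
  return html.replace(/<a\b([^>]*)>/gi, (_tag, attrString) => {
    const attrs = {};
    const attrRe = /([A-Za-z-]+)\s*=\s*"([^"]*)"/g;
    let m;
    while ((m = attrRe.exec(attrString)) !== null) {
      attrs[m[1].toLowerCase()] = m[2];
    }
    const rebuilt = Object.entries(hardenLink(attrs))
      .map(([k, v]) => `${k}="${v}"`)
      .join(' ');
    return `<a ${rebuilt}>`;
  });
}

// Defence for the opened page: sever the back-reference before any other
// script runs. The window object is a parameter so a stand-in can be used
// outside the browser; in a real page call severOpener(window) first thing.
function severOpener(win) {
  if (!win || !win.opener) return false;
  try {
    win.opener = null;
  } catch (e) {
    // Some engines expose opener as read-only; nothing more can be done here.
  }
  return true;
}

// Constructed sample input: one external new-window link, one local link.
const SAMPLE_HTML =
  '<p>Links: <a href="https://example.com/" target="_blank">ext</a> ' +
  '<a href="/about">about</a></p>';

console.log(hardenHtml(SAMPLE_HTML));
```

`noopener` is the token that actually cuts the opener reference; `noreferrer` is kept alongside it because it also suppresses the Referer header and implied noopener behaviour in browsers that predate the `noopener` token.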
